Automate mobile users allowed to log in to a system as the first user to login only.

Eyoung
Contributor

I am building out a laptop one-to-one program and am using mobile accounts (AD). Does anyone know if it is possible to automate the setting that allows only a specific user to create a mobile account? I would love to be able to set the system to allow only the first mobile login, then lock it out.

It's a bit much to do it in the GUI for 700 MacBook Airs: System Preferences/Users & Groups/Login Options/Allow network users to log in at the login window/Options/Only these network users: define the user

Any help appreciated 🙂

1 ACCEPTED SOLUTION

gregneagle
Valued Contributor

You are halfway there!

Add the user to the com.apple.loginwindow.netaccounts group, and add that group to the com.apple.access_loginwindow group:

/usr/sbin/dseditgroup -o create com.apple.access_loginwindow
/usr/sbin/dseditgroup -o edit -a localaccounts -t group com.apple.access_loginwindow
/usr/sbin/dseditgroup -o edit -a com.apple.loginwindow.netaccounts -t group com.apple.access_loginwindow

You might want to look at the contents of a "manually" created com.apple.access_loginwindow group to get some of the additional attributes to match Apple's, but that's probably not entirely needed.



davidacland
Honored Contributor II

I think that's controlled through the local group "com.apple.loginwindow.netaccounts". You will just need to run a login script in Casper to add the user to the group. I'd probably use dseditgroup as it could be done in a one-line command:

/usr/sbin/dseditgroup -o edit -a $3 -t user com.apple.loginwindow.netaccounts

Only thing I haven't checked is if this automatically enables the setting as well.

Eyoung
Contributor

Thank you for the reply.

The command does add the desired user to the group. Unfortunately I do not see a way in dseditgroup to flag the setting to be "only these network users"; it adds the users but stays as the default "all network users".

bentoms
Honored Contributor III

@Eyoung Perhaps you can report on multiple AD accounts on the Macs & act then?

Eyoung
Contributor

With a one-to-one I'd much rather just turn the option off before the kids get wise to it. Worst case in the final setup for the system, we hit the button.

It's odd. There has to be a defaults write to just flip that switch!


donmontalvo
Esteemed Contributor II

@gregneagle you do realize you have to physically be at JNUC2015 to collect all the beer we all owe you for all your help. 🙂

--
https://donmontalvo.com

mm2270
Legendary Contributor II

Lol, still trying @donmontalvo? I'll give you an A for effort, that's for sure.
I have a feeling Greg's response might be that if any of us want to buy him beer, we need to physically be at the conferences he attends.

Oh, that reminds me. I need to get back to you! I did see your email from the other day so I'm not ignoring you 🙂
I'll send you a response in just a bit.

Eyoung
Contributor

@gregneagle thank you very much for the dseditgroup command. Unfortunately... it seems to disable network users from logging in?!? I set it as a login policy set to run once.

Below is my script content. I assume I am missing something from what you originally posted, or is it due to being set to run at login at the first login for a network user? Thanks

#!/bin/sh

# Script to add the user logging in to the network account group and then make it so that only that user can log in

/usr/sbin/dseditgroup -o create com.apple.access_loginwindow
/usr/sbin/dseditgroup -o edit -a localaccounts -t group com.apple.access_loginwindow
/usr/sbin/dseditgroup -o edit -a com.apple.loginwindow.netaccounts -t group com.apple.access_loginwindow

gregneagle
Valued Contributor

eyoung: You forgot to do the first part, which was to add your desired user to the com.apple.loginwindow.netaccounts group as discussed earlier in the thread. Without that, your desired network user won't be in the list of allowed users -- in fact most likely that list will be empty and no network users will be able to log in at all.

Eyoung
Contributor

Can I claim that I did not read the post 5 times over the weekend and just looked at the answer before I had my coffee this morning and that's why I'm such a dumbass? 🙂

Testing with the WHOLE command now. Thank you again for the help.

Eyoung
Contributor

Ok. Tested with all the parts. Still just disables network accounts from logging in.

I tried it as one command, and then separated into two scripts run in sequence, same results.

gregneagle
Valued Contributor

Post your entire script. I did test this before I posted and it works as expected here.

Also:
Read the contents of both groups after your script runs:

dscl . read /Groups/com.apple.loginwindow.netaccounts
dscl . read /Groups/com.apple.access_loginwindow

Do they have the expected memberships?

Eyoung
Contributor

#!/bin/sh

# $3 is the username Jamf passes to a login or Self Service policy script
/usr/sbin/dseditgroup -o edit -a "$3" -t user com.apple.loginwindow.netaccounts
/usr/sbin/dseditgroup -o create com.apple.access_loginwindow
/usr/sbin/dseditgroup -o edit -a localaccounts -t group com.apple.access_loginwindow
/usr/sbin/dseditgroup -o edit -a com.apple.loginwindow.netaccounts -t group com.apple.access_loginwindow

Eyoung
Contributor

The output of the reads is:

bash-3.2$ dscl . read /Groups/com.apple.loginwindow.netaccounts
AppleMetaNodeLocation: /Local/Default
GeneratedUID: 0EAD561B-4B2F-48B9-8030-DE45EA3D740C
PrimaryGroupID: 502
RecordName: com.apple.loginwindow.netaccounts
RecordType: dsRecTypeStandard:Groups
bash-3.2$ dscl . read /Groups/com.apple.access_loginwindow
AppleMetaNodeLocation: /Local/Default
GeneratedUID: 78BDE4D1-EF82-47B2-9CBB-404B99D672F9
NestedGroups: ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000003D 0EAD561B-4B2F-48B9-8030-DE45EA3D740C
PrimaryGroupID: 501
RecordName: com.apple.access_loginwindow
RecordType: dsRecTypeStandard:Groups
bash-3.2$

bentoms
Honored Contributor III

@Eyoung are you running this script via the JAMF binary at either login or self service?

Those are the only two places that the username is passed to $3.

Eyoung
Contributor

@gregneagle thank you again for the help. This is unfamiliar territory for me. I'm sure I am missing something obvious causing the issues myself 🙂

gregneagle
Valued Contributor
the output of the reads are:
bash-3.2$ dscl . read /Groups/com.apple.loginwindow.netaccounts
AppleMetaNodeLocation: /Local/Default
GeneratedUID: 0EAD561B-4B2F-48B9-8030-DE45EA3D740C
PrimaryGroupID: 502
RecordName: com.apple.loginwindow.netaccounts
RecordType: dsRecTypeStandard:Groups

And com.apple.loginwindow.netaccounts has no users/members, so clearly $3 is empty/undefined when you run that script. This causes your issue: since there are no users in com.apple.loginwindow.netaccounts, no network users may log in.

bash-3.2$ dscl . read /Groups/com.apple.access_loginwindow
AppleMetaNodeLocation: /Local/Default
GeneratedUID: 78BDE4D1-EF82-47B2-9CBB-404B99D672F9
NestedGroups: ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000003D 0EAD561B-4B2F-48B9-8030-DE45EA3D740C
PrimaryGroupID: 501
RecordName: com.apple.access_loginwindow
RecordType: dsRecTypeStandard:Groups
bash-3.2$

Eyoung
Contributor

GAH. I was NOT testing the iterations IN the JAMF binary. If I run it as a policy @ login (as I intend to) it (of course) works!
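An added example, not code from the thread or from Jamf: a login-policy script that puts the whole recipe together and refuses to run when $3 is empty, which is the lockout case diagnosed above. It assumes Jamf runs it as root at login with the username in $3, and that dseditgroup and dscl behave as shown in the thread.

```shell
#!/bin/sh
# Added example (not the thread's own script). Assumes Jamf runs this as root
# at login and passes the logging-in username as $3. An empty $3 would leave
# com.apple.loginwindow.netaccounts empty and lock every network user out.
DSEDITGROUP=/usr/sbin/dseditgroup
NETACCOUNTS=com.apple.loginwindow.netaccounts
ACCESS=com.apple.access_loginwindow

# Reject an empty or odd username before touching any group.
valid_username() {
    case "$1" in
        "") return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Given the text of `dscl . read /Groups/<group>`, report whether the group
# lists any users (a GroupMembership: line, absent in the thread's output).
has_members() {
    printf '%s\n' "$1" | grep -q '^GroupMembership:'
}

main() {
    user=$3
    if ! valid_username "$user"; then
        echo "refusing to run: no usable username in \$3 (got '$user')" >&2
        exit 1
    fi
    "$DSEDITGROUP" -o edit -a "$user" -t user "$NETACCOUNTS"
    # Create the access group only if missing, so re-runs stay idempotent.
    if ! "$DSEDITGROUP" -o read "$ACCESS" >/dev/null 2>&1; then
        "$DSEDITGROUP" -o create "$ACCESS"
    fi
    "$DSEDITGROUP" -o edit -a localaccounts -t group "$ACCESS"
    "$DSEDITGROUP" -o edit -a "$NETACCOUNTS" -t group "$ACCESS"
    # Verify before finishing: an empty netaccounts group means lockout.
    if ! has_members "$(dscl . read "/Groups/$NETACCOUNTS")"; then
        echo "warning: $NETACCOUNTS still has no members" >&2
        exit 1
    fi
}

# Run only where the macOS directory tools exist, so the helpers above can
# also be sourced on other systems.
if [ -x "$DSEDITGROUP" ]; then
    main "$@"
fi
```

To test from the command line the way jaharmi suggests, run it as root with dummy values for the first two parameters, e.g. sudo ./script "" "" "username".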

jhbush
Valued Contributor II

@donmontalvo and @mm2270 we should all pitch in and just have a few kegs delivered to Disney.

Eyoung
Contributor

Absolutely!!

donmontalvo
Esteemed Contributor II

@jhbush1973 wrote:

@donmontalvo and @mm2270 we should all pitch in and just have a few kegs delivered to Disney.

As long as I don't have to deliver it to @gregneagle in a tutu. That train left the station a long time ago.

--
https://donmontalvo.com

jaharmi
Contributor

@Eyoung, I have gotten in the habit of testing policy scripts from the command line with parameters. I usually use blank (empty quoted string) or meaningless parameters for each of the ones I don’t care about.

path/to/script "" "blah" "user_id"

You also have to run with appropriate privileges.